
Tag Archives: penetration test

The journalist and blogger Kevin Townsend posted some interesting queries about AMTSO, the Anti-Malware Testing Standards Organization. One question that surely caught the attention of many is, “Is AMTSO the anti-malware industry looking after itself?” Yes, in some cases, but things go wrong when penetration testing and anti-malware testing go awry. Good testing promotes the better products, while bad testing promotes the bad ones, the products that could cause unwarranted results and damage. That is not good.

Townsend is not the only person with suspicions about AMTSO. Security Curve notes that AMTSO is a list of companies involved in the anti-virus industry; the list is not limited to them but also includes non-vendors and influential testers in the security industry. However, the two raise different issues. Security Curve addresses why AMTSO has members who are deeply connected to the anti-virus industry: it is inappropriate for those who sell a product to also test and criticize it, and the organization should solicit the input of other testers, those who are known and considered experts in their field, such as pen testing or Internet security.

Townsend, however, sees the testers and the software sellers as two peas in a pod. He may have a point, since testers and vendors have a symbiotic relationship: testers need new products to test, while vendors need professionals who can test their products and provide data about them.

There is no monopoly on the millions of malware samples available. Information security labs see thousands of new and distinct malicious codes every day. That number generates many problems, and not only in testing; it affects almost everything, from the rational management of data to the exchange of samples, codes, data and metadata. Testers and anti-virus vendors face these issues together. Although outsiders may call the exchange between the two cheating, it is not some vile plot to produce biased tests and results; sharing data and samples is appropriate and helps each side form and maintain a competitive edge.

But Townsend’s complaint is that AMTSO doesn’t encourage individuals outside its circle to join. We cannot argue with the need to make sure that security software actually helps the users facing the brunt of attacks. However, AMTSO must inform and educate the public, not just engage with it. Sadly, even though AMTSO is a non-profit organization, running it requires a substantial amount of money, so the fees are too expensive for regular people to take part.

This doesn’t mean that opinion from the public doesn’t matter at all. In fact, the public has the most influence on the cyber security industry today, because the money it spends on these companies’ products funds security research and much more. The only reason AMTSO’s representatives and members are limited to a few is that AMTSO is looking for experts: experts with whom it can exchange information and who can actually help in their roles in achieving a more secure Internet. Before the public can say something against AMTSO, it must make sure it knows how the testing really works. In fact, people should take penetration testing training or other security training before they criticize the system being tested, or perhaps help improve it.

Perhaps it would be better if AMTSO engaged more with individuals like Townsend, but that is highly unlikely now. Most likely, it won’t become a “free for all”. But if this happens sooner or later, each side would surely look for ways to meet in the middle, such as changing some things about AMTSO and how it conducts its practices. Positive changes might follow, such as cheaper membership for certain members or better information dissemination. We will just have to wait.

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce. It is the owner and developer of 20 security certifications. EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. These certifications are recognized worldwide and have received endorsements from various government agencies. They also offer training in penetration testing.

Companies should stop telling themselves that their network security systems are enough against any cyber threat looming on the Internet’s horizon. They should stop waiting for these threats to hit their systems before taking action. The risk of cyber crime is no laughing matter, and imminent doom is the only thing that awaits irresponsible and reckless companies.

Because of the constant change in our world today, the threats to company networks keep evolving and may come from any kind of vector: mobile phones, person-to-person networks, social media, email, web applications and much more. To make matters worse, the defenses companies employ, such as regular penetration testing and anti-virus software, are being left behind. The technologies and skills these cyber criminals employ are sometimes far superior to those of the IT experts working as security administrators in companies.

With that superiority in skill and in the tools used for hacking, writing sophisticated malware, spear phishing and botnets, committing cyber crime today is as easy as pie. Some cyber criminals don’t even need to lift a finger; everything they want done is accomplished by the software an unwitting victim downloads.

Cyber criminals who are expert in writing sophisticated attack software can also sell it for a price to other criminals who lack the sophistication, skills and knowledge to write their own code. Thus, anyone who wants to hack a particular establishment can use sophisticated software to accomplish whatever he needs. The best-known example of sophisticated malware sold on the Internet today is the ZeuS malware. It is highly sophisticated and can be programmed to perform different tasks depending on the type of attack a ZeuS user wants, and it can also be used to build an even more potent threat: botnets.

Many security experts are growing more concerned about the evolution of cyber crime. The integration of cyber crime into organized crime has created a greater scope of threat in many industries today. Criminals in the cyber underground can share the sensitive information they hold or work together as a team to take down the tough security systems of a company. It’s an A-team of criminals adept at writing code, decrypting encrypted files, gathering intelligence, deploying malware and scanning company systems for vulnerabilities they can exploit.

Nowadays, cybercrime has become a profession for some individuals, and their level of professionalism can be amazing. Potential clients approach cyber criminals in underground forums, where clients can hire them to launch attacks on specific targets, for a price of course. They pay these crooks to launch DDoS attacks, steal or destroy sensitive information, and more. But before hiring them, clients often ask these crooks to demonstrate their skills and how good they are at their trade.

Still, not all cyber criminals assemble teams to work toward a single purpose; individual cyber criminals can work on their own because of their botnets. What motivates them is the cash they can take from companies such as banks and other financial institutions. But some of these criminals don’t focus on financial institutions alone: why hack banking networks, whose security is tough to break or circumvent, when they can instead hack the networks of large businesses and institutions such as restaurants, universities and hospitals? They can still get the information they need from their target without facing difficult security systems.

These threats aren’t only used to steal from or profit off companies; sometimes they are used to attack governments. Espionage has become easy because of the Internet; any country can steal important information or plot to destabilize a target country.

Indeed, whether it is a government or a private industry, it is important to strengthen defenses against cybercrime. They should explore the vulnerabilities in their systems that could be exploited; the vulnerabilities of a network are easy to identify by completing a simple pen test. That can only be done by an expert in network security who has completed penetration testing training.
